DSCResources/MSFT_IntuneSettingCatalogASRRulesPolicyWindows10/MSFT_IntuneSettingCatalogASRRulesPolicyWindows10.psm1
|
function Get-TargetResource { [CmdletBinding()] [OutputType([System.Collections.Hashtable])] param ( [Parameter()] [System.String] $Identity, [Parameter(Mandatory = $true)] [System.String] $DisplayName, [Parameter()] [System.String] $Description, [Parameter()] [System.String[]] $AttackSurfaceReductionOnlyExclusions, [Parameter()] [ValidateSet('off', 'block', 'audit', 'warn')] [System.String] $BlockAbuseOfExploitedVulnerableSignedDrivers, [Parameter()] [System.String[]] $BlockAbuseOfExploitedVulnerableSignedDrivers_ASROnlyPerRuleExclusions, [Parameter()] [ValidateSet('off', 'block', 'audit', 'warn')] [System.String] $BlockAdobeReaderFromCreatingChildProcesses, [Parameter()] [System.String[]] $BlockAdobeReaderFromCreatingChildProcesses_ASROnlyPerRuleExclusions, [Parameter()] [ValidateSet('off', 'block', 'audit', 'warn')] [System.String] $BlockAllOfficeApplicationsFromCreatingChildProcesses, [Parameter()] [System.String[]] $BlockAllOfficeApplicationsFromCreatingChildProcesses_ASROnlyPerRuleExclusions, [Parameter()] [ValidateSet('off', 'block', 'audit', 'warn')] [System.String] $BlockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem, [Parameter()] [System.String[]] $BlockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem_ASROnlyPerRuleExclusions, [Parameter()] [ValidateSet('off', 'block', 'audit', 'warn')] [System.String] $BlockExecutableContentFromEmailClientAndWebmail, [Parameter()] [System.String[]] $BlockExecutableContentFromEmailClientAndWebmail_ASROnlyPerRuleExclusions, [Parameter()] [ValidateSet('off', 'block', 'audit', 'warn')] [System.String] $BlockExecutableFilesRunningUnlessTheyMeetPrevalenceAgeTrustedListCriterion, [Parameter()] [System.String[]] $BlockExecutableFilesRunningUnlessTheyMeetPrevalenceAgeTrustedListCriterion_ASROnlyPerRuleExclusions, [Parameter()] [ValidateSet('off', 'block', 'audit', 'warn')] [System.String] $BlockExecutionOfPotentiallyObfuscatedScripts, [Parameter()] [System.String[]] $BlockExecutionOfPotentiallyObfuscatedScripts_ASROnlyPerRuleExclusions, [Parameter()] [ValidateSet('off', 'block', 'audit', 'warn')] [System.String] $BlockJavaScriptOrVBScriptFromLaunchingDownloadedExecutableContent, [Parameter()] [System.String[]] $BlockJavaScriptOrVBScriptFromLaunchingDownloadedExecutableContent_ASROnlyPerRuleExclusions, [Parameter()] [ValidateSet('off', 'block', 'audit', 'warn')] [System.String] $BlockOfficeApplicationsFromCreatingExecutableContent, [Parameter()] [System.String[]] $BlockOfficeApplicationsFromCreatingExecutableContent_ASROnlyPerRuleExclusions, [Parameter()] [ValidateSet('off', 'block', 'audit', 'warn')] [System.String] $BlockOfficeApplicationsFromInjectingCodeIntoOtherProcesses, [Parameter()] [System.String[]] $BlockOfficeApplicationsFromInjectingCodeIntoOtherProcesses_ASROnlyPerRuleExclusions, [Parameter()] [ValidateSet('off', 'block', 'audit', 'warn')] [System.String] $BlockOfficeCommunicationAppFromCreatingChildProcesses, [Parameter()] [System.String[]] $BlockOfficeCommunicationAppFromCreatingChildProcesses_ASROnlyPerRuleExclusions, [Parameter()] [ValidateSet('off', 'block', 'audit', 'warn')] [System.String] $BlockPersistenceThroughWMIEventSubscription, [Parameter()] [ValidateSet('off', 'block', 'audit', 'warn')] [System.String] $BlockProcessCreationsFromPSExecAndWMICommands, [Parameter()] [System.String[]] $BlockProcessCreationsFromPSExecAndWMICommands_ASROnlyPerRuleExclusions, [Parameter()] [ValidateSet('off', 'block', 'audit', 'warn')] [System.String] $BlockRebootingMachineInSafeMode, [Parameter()] [System.String[]] $BlockRebootingMachineInSafeMode_ASROnlyPerRuleExclusions, [Parameter()] [ValidateSet('off', 'block', 'audit', 'warn')] [System.String] $BlockUntrustedUnsignedProcessesThatRunFromUSB, [Parameter()] [System.String[]] $BlockUntrustedUnsignedProcessesThatRunFromUSB_ASROnlyPerRuleExclusions, [Parameter()] [ValidateSet('off', 'block', 'audit', 'warn')] [System.String] $BlockUseOfCopiedOrImpersonatedSystemTools, [Parameter()] [System.String[]] $BlockUseOfCopiedOrImpersonatedSystemTools_ASROnlyPerRuleExclusions, [Parameter()] [ValidateSet('off', 'block', 'audit', 'warn')] [System.String] $BlockWebShellCreationForServers, [Parameter()] [System.String[]] $BlockWebshellCreationForServers_ASROnlyPerRuleExclusions, [Parameter()] [ValidateSet('off', 'block', 'audit', 'warn')] [System.String] $BlockWin32APICallsFromOfficeMacros, [Parameter()] [System.String[]] $BlockWin32APICallsFromOfficeMacros_ASROnlyPerRuleExclusions, [Parameter()] [ValidateSet('off', 'block', 'audit', 'warn')] [System.String] $UseAdvancedProtectionAgainstRansomware, [Parameter()] [System.String[]] $UseAdvancedProtectionAgainstRansomware_ASROnlyPerRuleExclusions, [Parameter()] [System.String[]] $ControlledFolderAccessProtectedFolders, [Parameter()] [System.String[]] $ControlledFolderAccessAllowedApplications, [Parameter()] [ValidateSet('0', '1', '2')] [System.String] $EnableControlledFolderAccess, [Parameter()] [Microsoft.Management.Infrastructure.CimInstance[]] $Assignments, [Parameter()] [System.String] [ValidateSet('Absent', 'Present')] $Ensure = 'Present', [Parameter()] [System.Management.Automation.PSCredential] $Credential, [Parameter()] [System.String] $ApplicationId, [Parameter()] [System.String] $TenantId, [Parameter()] [System.Management.Automation.PSCredential] $ApplicationSecret, [Parameter()] [System.String] $CertificateThumbprint, [Parameter()] [Switch] $ManagedIdentity, [Parameter()] [System.String[]] $AccessTokens ) try { Write-Verbose -Message "Checking for the Intune Endpoint Protection Attack Surface Protection rules Policy {$DisplayName}" $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` -InboundParameters $PSBoundParameters ` -ErrorAction Stop #Ensure the proper dependencies are installed in the current environment. Confirm-M365DSCDependencies #region Telemetry $ResourceName = $MyInvocation.MyCommand.ModuleName -replace 'MSFT_', '' $CommandName = $MyInvocation.MyCommand $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` -CommandName $CommandName ` -Parameters $PSBoundParameters Add-M365DSCTelemetryEvent -Data $data #endregion $nullResult = $PSBoundParameters $nullResult.Ensure = 'Absent' $templateReferenceId = 'e8c053d6-9f95-42b1-a7f1-ebfd71c67a4b_1' #Retrieve policy general settings $policy = $null $policy = Get-MgBetaDeviceManagementConfigurationPolicy -DeviceManagementConfigurationPolicyId $Identity -ErrorAction SilentlyContinue if ($null -eq $policy) { Write-Verbose -Message "No Endpoint Protection Attack Surface Reduction Rules Policy {$Identity} was found" if (-not [System.String]::IsNullOrEmpty($DisplayName)) { $policy = Get-MgBetaDeviceManagementConfigurationPolicy ` -Filter "Name eq '$DisplayName' and templateReference/TemplateId eq '$templateReferenceId'" ` -ErrorAction SilentlyContinue } } if ($null -eq $policy) { Write-Verbose -Message "No Endpoint Protection Attack Surface Reduction Rules Policy {$DisplayName} was found" return $nullResult } $Identity = $policy.Id Write-Verbose -Message "Found Endpoint Protection Attack Surface Reduction Rules Policy with Id {$Identity} and Name {$DisplayName)}." #Retrieve policy specific settings [array]$settings = Get-MgBetaDeviceManagementConfigurationPolicySetting ` -DeviceManagementConfigurationPolicyId $Identity ` -ExpandProperty 'settingDefinitions' ` -ErrorAction Stop $returnHashtable = @{} $returnHashtable.Add('Identity', $Identity) $returnHashtable.Add('DisplayName', $policy.name) $returnHashtable.Add('Description', $policy.description) $returnHashtable = Export-IntuneSettingCatalogPolicySettings -Settings $settings -ReturnHashtable $returnHashtable $assignmentsValues = Get-MgBetaDeviceManagementConfigurationPolicyAssignment -DeviceManagementConfigurationPolicyId $Identity $assignmentResult = @() if ($assignmentsValues.Count -gt 0) { $assignmentResult += ConvertFrom-IntunePolicyAssignment -Assignments $assignmentsValues -IncludeDeviceFilter $true } $returnHashtable.Add('Assignments', $assignmentResult) $returnHashtable.Add('Ensure', 'Present') $returnHashtable.Add('Credential', $Credential) $returnHashtable.Add('ApplicationId', $ApplicationId) $returnHashtable.Add('TenantId', $TenantId) $returnHashtable.Add('ApplicationSecret', $ApplicationSecret) $returnHashtable.Add('CertificateThumbprint', $CertificateThumbprint) $returnHashtable.Add('ManagedIdentity', $ManagedIdentity.IsPresent) $returnHashtable.Add('AccessTokens', $AccessTokens) return $returnHashtable } catch { New-M365DSCLogEntry -Message 'Error retrieving data:' ` -Exception $_ ` -Source $($MyInvocation.MyCommand.Source) ` -TenantId $TenantId ` -Credential $Credential return $nullResult } } function Set-TargetResource { [CmdletBinding()] param ( [Parameter()] [System.String] $Identity, [Parameter(Mandatory = $true)] [System.String] $DisplayName, [Parameter()] [System.String] $Description, [Parameter()] [System.String[]] $AttackSurfaceReductionOnlyExclusions, [Parameter()] [ValidateSet('off', 'block', 'audit', 'warn')] [System.String] $BlockAbuseOfExploitedVulnerableSignedDrivers, [Parameter()] [System.String[]] $BlockAbuseOfExploitedVulnerableSignedDrivers_ASROnlyPerRuleExclusions, [Parameter()] [ValidateSet('off', 'block', 'audit', 'warn')] [System.String] $BlockAdobeReaderFromCreatingChildProcesses, [Parameter()] [System.String[]] $BlockAdobeReaderFromCreatingChildProcesses_ASROnlyPerRuleExclusions, [Parameter()] [ValidateSet('off', 'block', 'audit', 'warn')] [System.String] $BlockAllOfficeApplicationsFromCreatingChildProcesses, [Parameter()] [System.String[]] $BlockAllOfficeApplicationsFromCreatingChildProcesses_ASROnlyPerRuleExclusions, [Parameter()] [ValidateSet('off', 'block', 'audit', 'warn')] [System.String] $BlockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem, [Parameter()] [System.String[]] $BlockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem_ASROnlyPerRuleExclusions, [Parameter()] [ValidateSet('off', 'block', 'audit', 'warn')] [System.String] $BlockExecutableContentFromEmailClientAndWebmail, [Parameter()] [System.String[]] $BlockExecutableContentFromEmailClientAndWebmail_ASROnlyPerRuleExclusions, [Parameter()] [ValidateSet('off', 'block', 'audit', 'warn')] [System.String] $BlockExecutableFilesRunningUnlessTheyMeetPrevalenceAgeTrustedListCriterion, [Parameter()] [System.String[]] $BlockExecutableFilesRunningUnlessTheyMeetPrevalenceAgeTrustedListCriterion_ASROnlyPerRuleExclusions, [Parameter()] [ValidateSet('off', 'block', 'audit', 'warn')] [System.String] $BlockExecutionOfPotentiallyObfuscatedScripts, [Parameter()] [System.String[]] $BlockExecutionOfPotentiallyObfuscatedScripts_ASROnlyPerRuleExclusions, [Parameter()] [ValidateSet('off', 'block', 'audit', 'warn')] [System.String] $BlockJavaScriptOrVBScriptFromLaunchingDownloadedExecutableContent, [Parameter()] [System.String[]] $BlockJavaScriptOrVBScriptFromLaunchingDownloadedExecutableContent_ASROnlyPerRuleExclusions, [Parameter()] [ValidateSet('off', 'block', 'audit', 'warn')] [System.String] $BlockOfficeApplicationsFromCreatingExecutableContent, [Parameter()] [System.String[]] $BlockOfficeApplicationsFromCreatingExecutableContent_ASROnlyPerRuleExclusions, [Parameter()] [ValidateSet('off', 'block', 'audit', 'warn')] [System.String] $BlockOfficeApplicationsFromInjectingCodeIntoOtherProcesses, [Parameter()] [System.String[]] $BlockOfficeApplicationsFromInjectingCodeIntoOtherProcesses_ASROnlyPerRuleExclusions, [Parameter()] [ValidateSet('off', 'block', 'audit', 'warn')] [System.String] $BlockOfficeCommunicationAppFromCreatingChildProcesses, [Parameter()] [System.String[]] $BlockOfficeCommunicationAppFromCreatingChildProcesses_ASROnlyPerRuleExclusions, [Parameter()] [ValidateSet('off', 'block', 'audit', 'warn')] [System.String] $BlockPersistenceThroughWMIEventSubscription, [Parameter()] [ValidateSet('off', 'block', 'audit', 'warn')] [System.String] $BlockProcessCreationsFromPSExecAndWMICommands, [Parameter()] [System.String[]] $BlockProcessCreationsFromPSExecAndWMICommands_ASROnlyPerRuleExclusions, [Parameter()] [ValidateSet('off', 'block', 'audit', 'warn')] [System.String] $BlockRebootingMachineInSafeMode, [Parameter()] [System.String[]] $BlockRebootingMachineInSafeMode_ASROnlyPerRuleExclusions, [Parameter()] [ValidateSet('off', 'block', 'audit', 'warn')] [System.String] $BlockUntrustedUnsignedProcessesThatRunFromUSB, [Parameter()] [System.String[]] $BlockUntrustedUnsignedProcessesThatRunFromUSB_ASROnlyPerRuleExclusions, [Parameter()] [ValidateSet('off', 'block', 'audit', 'warn')] [System.String] $BlockUseOfCopiedOrImpersonatedSystemTools, [Parameter()] [System.String[]] $BlockUseOfCopiedOrImpersonatedSystemTools_ASROnlyPerRuleExclusions, [Parameter()] [ValidateSet('off', 'block', 'audit', 'warn')] [System.String] $BlockWebShellCreationForServers, [Parameter()] [System.String[]] $BlockWebshellCreationForServers_ASROnlyPerRuleExclusions, [Parameter()] [ValidateSet('off', 'block', 'audit', 'warn')] [System.String] $BlockWin32APICallsFromOfficeMacros, [Parameter()] [System.String[]] $BlockWin32APICallsFromOfficeMacros_ASROnlyPerRuleExclusions, [Parameter()] [ValidateSet('off', 'block', 'audit', 'warn')] [System.String] $UseAdvancedProtectionAgainstRansomware, [Parameter()] [System.String[]] $UseAdvancedProtectionAgainstRansomware_ASROnlyPerRuleExclusions, [Parameter()] [System.String[]] $ControlledFolderAccessProtectedFolders, [Parameter()] [System.String[]] $ControlledFolderAccessAllowedApplications, [Parameter()] [ValidateSet('0', '1', '2')] [System.String] $EnableControlledFolderAccess, [Parameter()] [Microsoft.Management.Infrastructure.CimInstance[]] $Assignments, [Parameter()] [System.String] [ValidateSet('Absent', 'Present')] $Ensure = 'Present', [Parameter()] [System.Management.Automation.PSCredential] $Credential, [Parameter()] [System.String] $ApplicationId, [Parameter()] [System.String] $TenantId, [Parameter()] [System.Management.Automation.PSCredential] $ApplicationSecret, [Parameter()] [System.String] $CertificateThumbprint, [Parameter()] [Switch] $ManagedIdentity, [Parameter()] [System.String[]] $AccessTokens ) $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` -InboundParameters $PSBoundParameters #Ensure the proper dependencies are installed in the current environment. Confirm-M365DSCDependencies #region Telemetry $ResourceName = $MyInvocation.MyCommand.ModuleName -replace 'MSFT_', '' $CommandName = $MyInvocation.MyCommand $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` -CommandName $CommandName ` -Parameters $PSBoundParameters Add-M365DSCTelemetryEvent -Data $data #endregion $currentPolicy = Get-TargetResource @PSBoundParameters $BoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters $templateReferenceId = 'e8c053d6-9f95-42b1-a7f1-ebfd71c67a4b_1' $platforms = 'windows10' $technologies = 'mdm,microsoftSense' if ($Ensure -eq 'Present' -and $currentPolicy.Ensure -eq 'Absent') { Write-Verbose -Message "Creating new Endpoint Protection Attack Surface Reduction Rules Policy {$DisplayName}" $BoundParameters.Remove('Assignments') | Out-Null $BoundParameters.Remove('Identity') | Out-Null $settings = Get-IntuneSettingCatalogPolicySetting ` -DSCParams ([System.Collections.Hashtable]$BoundParameters) ` -TemplateId $templateReferenceId $createParameters = @{ Name = $DisplayName Description = $Description TemplateReference = @{templateId = $templateReferenceId } Platforms = $platforms Technologies = $technologies Settings = $settings } $policy = New-MgBetaDeviceManagementConfigurationPolicy -BodyParameter $createParameters #region Assignments if ($policy.Id) { $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments Update-DeviceConfigurationPolicyAssignment ` -DeviceConfigurationPolicyId $policy.Id ` -Targets $assignmentsHash ` -Repository 'deviceManagement/configurationPolicies' } } elseif ($Ensure -eq 'Present' -and $currentPolicy.Ensure -eq 'Present') { Write-Verbose -Message "Updating existing Endpoint Protection Attack Surface Reduction Rules Policy {$DisplayName}" $BoundParameters.Remove('Assignments') | Out-Null $BoundParameters.Remove('Identity') | Out-Null $settings = Get-IntuneSettingCatalogPolicySetting ` -DSCParams ([System.Collections.Hashtable]$BoundParameters) ` -TemplateId $templateReferenceId Update-IntuneDeviceConfigurationPolicy ` -DeviceConfigurationPolicyId $currentPolicy.Identity ` -Name $DisplayName ` -Description $Description ` -TemplateReferenceId $templateReferenceId ` -Platforms $platforms ` -Technologies $technologies ` -Settings $settings #region Assignments $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments Update-DeviceConfigurationPolicyAssignment ` -DeviceConfigurationPolicyId $currentPolicy.Identity ` -Targets $assignmentsHash ` -Repository 'deviceManagement/configurationPolicies' #endregion } elseif ($Ensure -eq 'Absent' -and $currentPolicy.Ensure -eq 'Present') { Write-Verbose -Message "Removing Endpoint Protection Attack Surface Reduction Rules Policy {$DisplayName}" Remove-MgBetaDeviceManagementConfigurationPolicy -DeviceManagementConfigurationPolicyId $currentPolicy.Identity } } function Test-TargetResource { [CmdletBinding()] [OutputType([System.Boolean])] param ( [Parameter()] [System.String] $Identity, [Parameter(Mandatory = $true)] [System.String] $DisplayName, [Parameter()] [System.String] $Description, [Parameter()] [System.String[]] $AttackSurfaceReductionOnlyExclusions, [Parameter()] [ValidateSet('off', 'block', 'audit', 'warn')] [System.String] $BlockAbuseOfExploitedVulnerableSignedDrivers, [Parameter()] [System.String[]] $BlockAbuseOfExploitedVulnerableSignedDrivers_ASROnlyPerRuleExclusions, [Parameter()] [ValidateSet('off', 'block', 'audit', 'warn')] [System.String] $BlockAdobeReaderFromCreatingChildProcesses, [Parameter()] [System.String[]] $BlockAdobeReaderFromCreatingChildProcesses_ASROnlyPerRuleExclusions, [Parameter()] [ValidateSet('off', 'block', 'audit', 'warn')] [System.String] $BlockAllOfficeApplicationsFromCreatingChildProcesses, [Parameter()] [System.String[]] $BlockAllOfficeApplicationsFromCreatingChildProcesses_ASROnlyPerRuleExclusions, [Parameter()] [ValidateSet('off', 'block', 'audit', 'warn')] [System.String] $BlockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem, [Parameter()] [System.String[]] $BlockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem_ASROnlyPerRuleExclusions, [Parameter()] [ValidateSet('off', 'block', 'audit', 'warn')] [System.String] $BlockExecutableContentFromEmailClientAndWebmail, [Parameter()] [System.String[]] $BlockExecutableContentFromEmailClientAndWebmail_ASROnlyPerRuleExclusions, [Parameter()] [ValidateSet('off', 'block', 'audit', 'warn')] [System.String] $BlockExecutableFilesRunningUnlessTheyMeetPrevalenceAgeTrustedListCriterion, [Parameter()] [System.String[]] $BlockExecutableFilesRunningUnlessTheyMeetPrevalenceAgeTrustedListCriterion_ASROnlyPerRuleExclusions, [Parameter()] [ValidateSet('off', 'block', 'audit', 'warn')] [System.String] $BlockExecutionOfPotentiallyObfuscatedScripts, [Parameter()] [System.String[]] $BlockExecutionOfPotentiallyObfuscatedScripts_ASROnlyPerRuleExclusions, [Parameter()] [ValidateSet('off', 'block', 'audit', 'warn')] [System.String] $BlockJavaScriptOrVBScriptFromLaunchingDownloadedExecutableContent, [Parameter()] [System.String[]] $BlockJavaScriptOrVBScriptFromLaunchingDownloadedExecutableContent_ASROnlyPerRuleExclusions, [Parameter()] [ValidateSet('off', 'block', 'audit', 'warn')] [System.String] $BlockOfficeApplicationsFromCreatingExecutableContent, [Parameter()] [System.String[]] $BlockOfficeApplicationsFromCreatingExecutableContent_ASROnlyPerRuleExclusions, [Parameter()] [ValidateSet('off', 'block', 'audit', 'warn')] [System.String] $BlockOfficeApplicationsFromInjectingCodeIntoOtherProcesses, [Parameter()] [System.String[]] $BlockOfficeApplicationsFromInjectingCodeIntoOtherProcesses_ASROnlyPerRuleExclusions, [Parameter()] [ValidateSet('off', 'block', 'audit', 'warn')] [System.String] $BlockOfficeCommunicationAppFromCreatingChildProcesses, [Parameter()] [System.String[]] $BlockOfficeCommunicationAppFromCreatingChildProcesses_ASROnlyPerRuleExclusions, [Parameter()] [ValidateSet('off', 'block', 'audit', 'warn')] [System.String] $BlockPersistenceThroughWMIEventSubscription, [Parameter()] [ValidateSet('off', 'block', 'audit', 'warn')] [System.String] $BlockProcessCreationsFromPSExecAndWMICommands, [Parameter()] [System.String[]] $BlockProcessCreationsFromPSExecAndWMICommands_ASROnlyPerRuleExclusions, [Parameter()] [ValidateSet('off', 'block', 'audit', 'warn')] [System.String] $BlockRebootingMachineInSafeMode, [Parameter()] [System.String[]] $BlockRebootingMachineInSafeMode_ASROnlyPerRuleExclusions, [Parameter()] [ValidateSet('off', 'block', 'audit', 'warn')] [System.String] $BlockUntrustedUnsignedProcessesThatRunFromUSB, [Parameter()] [System.String[]] $BlockUntrustedUnsignedProcessesThatRunFromUSB_ASROnlyPerRuleExclusions, [Parameter()] [ValidateSet('off', 'block', 'audit', 'warn')] [System.String] $BlockUseOfCopiedOrImpersonatedSystemTools, [Parameter()] [System.String[]] $BlockUseOfCopiedOrImpersonatedSystemTools_ASROnlyPerRuleExclusions, [Parameter()] [ValidateSet('off', 'block', 'audit', 'warn')] [System.String] $BlockWebShellCreationForServers, [Parameter()] [System.String[]] $BlockWebshellCreationForServers_ASROnlyPerRuleExclusions, [Parameter()] [ValidateSet('off', 'block', 'audit', 'warn')] [System.String] $BlockWin32APICallsFromOfficeMacros, [Parameter()] [System.String[]] $BlockWin32APICallsFromOfficeMacros_ASROnlyPerRuleExclusions, [Parameter()] [ValidateSet('off', 'block', 'audit', 'warn')] [System.String] $UseAdvancedProtectionAgainstRansomware, [Parameter()] [System.String[]] $UseAdvancedProtectionAgainstRansomware_ASROnlyPerRuleExclusions, [Parameter()] [System.String[]] $ControlledFolderAccessProtectedFolders, [Parameter()] [System.String[]] $ControlledFolderAccessAllowedApplications, [Parameter()] [ValidateSet('0', '1', '2')] [System.String] $EnableControlledFolderAccess, [Parameter()] [Microsoft.Management.Infrastructure.CimInstance[]] $Assignments, [Parameter()] [System.String] [ValidateSet('Absent', 'Present')] $Ensure = 'Present', [Parameter()] [System.Management.Automation.PSCredential] $Credential, [Parameter()] [System.String] $ApplicationId, [Parameter()] [System.String] $TenantId, [Parameter()] [System.Management.Automation.PSCredential] $ApplicationSecret, [Parameter()] [System.String] $CertificateThumbprint, [Parameter()] [Switch] $ManagedIdentity, [Parameter()] [System.String[]] $AccessTokens ) #Ensure the proper dependencies are installed in the current environment. Confirm-M365DSCDependencies #region Telemetry $ResourceName = $MyInvocation.MyCommand.ModuleName -replace 'MSFT_', '' $CommandName = $MyInvocation.MyCommand $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` -CommandName $CommandName ` -Parameters $PSBoundParameters Add-M365DSCTelemetryEvent -Data $data #endregion Write-Verbose -Message "Testing configuration of Endpoint Protection Attack Surface Reduction Rules Policy {$DisplayName}" $CurrentValues = Get-TargetResource @PSBoundParameters $ValuesToCheck = @{} $MyInvocation.MyCommand.Parameters.GetEnumerator() | ForEach-Object { if ($_.Key -notlike '*Variable' -or $_.Key -notin @('Verbose', 'Debug', 'ErrorAction', 'WarningAction', 'InformationAction')) { if ($null -ne $CurrentValues[$_.Key] -or $null -ne $PSBoundParameters[$_.Key]) { $ValuesToCheck.Add($_.Key, $null) if (-not $PSBoundParameters.ContainsKey($_.Key)) { $PSBoundParameters.Add($_.Key, $null) } } } } if ($CurrentValues.Ensure -ne $Ensure) { Write-Verbose -Message "Test-TargetResource returned $false" return $false } $testResult = $true #Compare Cim instances foreach ($key in $PSBoundParameters.Keys) { $source = $PSBoundParameters.$key $target = $CurrentValues.$key if ($null -ne $source -and $source.GetType().Name -like '*CimInstance*') { $testResult = Compare-M365DSCComplexObject ` -Source ($source) ` -Target ($target) if (-not $testResult) { break } $ValuesToCheck.Remove($key) | Out-Null } } $ValuesToCheck.Remove('Identity') | Out-Null $ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)" if ($testResult) { $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` -Source $($MyInvocation.MyCommand.Source) ` -DesiredValues $PSBoundParameters ` -ValuesToCheck $ValuesToCheck.Keys } Write-Verbose -Message "Test-TargetResource returned $testResult" return $testResult } function Export-TargetResource { [CmdletBinding()] [OutputType([System.String])] param ( [Parameter()] [System.String] $Filter, [Parameter()] [System.Management.Automation.PSCredential] $Credential, [Parameter()] [System.String] $ApplicationId, [Parameter()] [System.String] $TenantId, [Parameter()] [System.Management.Automation.PSCredential] $ApplicationSecret, [Parameter()] [System.String] $CertificateThumbprint, [Parameter()] [Switch] $ManagedIdentity, [Parameter()] [System.String[]] $AccessTokens ) $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` -InboundParameters $PSBoundParameters #Ensure the proper dependencies are installed in the current environment. Confirm-M365DSCDependencies #region Telemetry $ResourceName = $MyInvocation.MyCommand.ModuleName -replace 'MSFT_', '' $CommandName = $MyInvocation.MyCommand $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` -CommandName $CommandName ` -Parameters $PSBoundParameters Add-M365DSCTelemetryEvent -Data $data #endregion $dscContent = '' $i = 1 try { $policyTemplateId = 'e8c053d6-9f95-42b1-a7f1-ebfd71c67a4b_1' [array]$policies = Get-MgBetaDeviceManagementConfigurationPolicy ` -Filter $Filter ` -All ` -ErrorAction Stop | Where-Object -FilterScript { $_.TemplateReference.TemplateId -eq $policyTemplateId } if ($policies.Length -eq 0) { Write-Host $Global:M365DSCEmojiGreenCheckMark } else { Write-Host "`r`n" -NoNewline } foreach ($policy in $policies) { if ($null -ne $Global:M365DSCExportResourceInstancesCount) { $Global:M365DSCExportResourceInstancesCount++ } Write-Host " |---[$i/$($policies.Count)] $($policy.Name)" -NoNewline $params = @{ Identity = $policy.Id DisplayName = $policy.Name Ensure = 'Present' Credential = $Credential ApplicationId = $ApplicationId TenantId = $TenantId ApplicationSecret = $ApplicationSecret CertificateThumbprint = $CertificateThumbprint ManagedIdentity = $ManagedIdentity.IsPresent AccessTokens = $AccessTokens } $Results = Get-TargetResource @params $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` -Results $Results if ($Results.Assignments) { $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString -ComplexObject ([Array]$Results.Assignments) -CIMInstanceName DeviceManagementConfigurationPolicyAssignments if ($complexTypeStringResult) { $Results.Assignments = $complexTypeStringResult } else { $Results.Remove('Assignments') | Out-Null } } $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` -ConnectionMode $ConnectionMode ` -ModulePath $PSScriptRoot ` -Results $Results ` -Credential $Credential if ($Results.Assignments) { $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'Assignments' -IsCIMArray:$true } $dscContent += $currentDSCBlock Save-M365DSCPartialExport -Content $currentDSCBlock ` -FileName $Global:PartialExportFileName $i++ Write-Host $Global:M365DSCEmojiGreenCheckMark } return $dscContent } catch { if ($_.Exception -like '*401*' -or $_.ErrorDetails.Message -like "*`"ErrorCode`":`"Forbidden`"*" -or ` $_.Exception -like "*Request not applicable to target tenant*") { Write-Host "`r`n $($Global:M365DSCEmojiYellowCircle) The current tenant is not registered for Intune." } else { Write-Host $Global:M365DSCEmojiRedX New-M365DSCLogEntry -Message 'Error during Export:' ` -Exception $_ ` -Source $($MyInvocation.MyCommand.Source) ` -TenantId $TenantId ` -Credential $Credential } return '' } } Export-ModuleMember -Function *-TargetResource |